How to recover data encrypted by CryptoDefense ransomware

Last year, CryptoLocker ransomware hit the headlines after infecting hundreds of thousands of computers and encrypting the data, and backups of that data on any connected device, with the promise of decryption on payment of a fee. This kind of IT extortion is profitable for the bad guys as it targets the people who are least likely to be in a position to do anything but pay; the people who are most likely to get infected are the same folk who are least likely to have an offsite backup or know how to get help with such a problem. This year we have CryptoDefense doing much the same thing, and already apparently infecting and encrypting many tens of thousands of victims. It targets the same victim profile, although in truth, as with all such malware, a scattergun approach to infection/distribution is employed; the targeting is in terms of who is most likely to pay up once infected. CryptoDefense hits text files, PDFs and Office files, images and video, which are encrypted using an RSA-2049 key, making it all but impossible to recover data without that key. Like CryptoLocker before it, it also looks to disable backup, and this time it appears to wipe out any shadow copies of data before encrypting and putting up the ransom notice for a $500 unlocking fee.

So what can you do? Well you can avoid being infected in the first place, that's the most valuable piece of advice. Ensure you have up to date security protection on your device, and don't get caught out by phishing attacks which use the 'open this' or 'click here' method of attack. CryptoDefense originally infected victims by getting them to install a bogus Flash update or video codec when they tried to view some spurious video footage or other, but is understood to have morphed to the other phishing methodologies by now.

So what if you have been infected? Well, with sophisticated ransomware you generally have only two options: pay the ransom, or reformat and restore from backup. The former is a contentious issue, with some security experts recommending paying up and trusting the criminals not to abuse your credit card data and to provide you with a working key. I am not in that camp, and wonder why I would trust someone who has already blackmailed me into paying a fee like this and who obviously doesn't care whether I get my data back or not. The second option isn't always much better either, as it relies upon many variables, including whether your backup data has been infected/encrypted, whether your PC is accessible enough to perform a full reformat and start again, and so on. In the case of CryptoDefense there is a third way, for a lucky (or should I say unlucky) few whose computers were infected before April 1st, 2014.

Whereas CryptoLocker generated the RSA key pair on the remote command and control server, CryptoDefense initially used the Windows CryptoAPI instead. What the criminals didn't bargain for was that this would create a local copy of the RSA keys, meaning that the key to unlock the encrypted data didn't need a ransom paying at all, as it was sitting right there on the user's system itself. Security researchers quickly developed tools that would look for and retrieve this key, and unlock the CryptoDefense encrypted data. Job was a good one, with the folk in the Emsisoft Malware Research Team who developed this tool seeking out victims and helping them in private so as not to tip the hand of the malware creators to the mistake. Other researchers and vendors were not quite so careful, and after Symantec went public with the news that it had found the keys on victims' computers, the CryptoDefense developer started distributing an amended version of the malware which removed the keys. So, if you were infected before April 1st, then the Emsisoft decryptor might still be able to help you.
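A simplified model of the key-handling difference described above, added here as an illustration and not Emsisoft's decryptor or the malware's own code. The key-store dictionary, the two mode names, the toy RSA parameters and the SHA-256 keystream are all constructed for the model; the point it shows is that recovery succeeds only when the key-generation path persisted the private key locally.

```python
import hashlib
import secrets

# Toy RSA parameters (constructed); the real samples used 2048-bit keys.
P, Q, E = 61, 53, 17


def rsa_keygen():
    """Return ((n, e), (n, d)) for the toy modulus n = P*Q."""
    n, phi = P * Q, (P - 1) * (Q - 1)
    return (n, E), (n, pow(E, -1, phi))  # modular inverse (Python 3.8+)


def xor_stream(key: int, data: bytes) -> bytes:
    """Per-file symmetric layer: XOR with a SHA-256 counter keystream (model only)."""
    stream = b"".join(
        hashlib.sha256(key.to_bytes(2, "big") + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def make_public_key(mode: str, key_store: dict):
    """'local_api' mirrors early CryptoDefense: the key-generation API persists the
    private half in the user's key store. 'remote_c2' mirrors CryptoLocker: the private
    key only ever exists on the attacker's server, so nothing is left behind."""
    pub, priv = rsa_keygen()
    if mode == "local_api":
        key_store["rsa_container"] = priv  # the mistake: private key left on the victim
    return pub


def encrypt_file(plaintext: bytes, pub) -> tuple:
    """Hybrid scheme: a random per-file key, wrapped with the RSA public key."""
    n, e = pub
    session = secrets.randbelow(n - 2) + 2
    return pow(session, e, n), xor_stream(session, plaintext)


def recover(encrypted: tuple, key_store: dict):
    """What a decryptor does: look for a locally persisted private key and use it.
    Returns None when no key is present (the 'No Key Found' case)."""
    priv = key_store.get("rsa_container")
    if priv is None:
        return None
    n, d = priv
    wrapped, body = encrypted
    return xor_stream(pow(wrapped, d, n), body)


def demo(mode: str):
    """Encrypt a constructed file under the given mode and attempt local recovery."""
    store = {}
    pub = make_public_key(mode, store)
    return recover(encrypt_file(b"quarterly report", pub), store)
```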

Download the zip file to your desktop and extract all. The folder it installs has two files. CryptoOffense.exe is used to extract the encryption key to a secret.key file, which is needed if you want to decrypt the encrypted files on a different computer. Otherwise, the other file, called decrypt_cryptodefense.exe, will be the one you want. Double-clicking this, when logged into the infected machine, starts the decryptor tool running. It searches for folders with encrypted files, and simply hitting the Decrypt button will set it off looking for the decryption key. If found, the decryption process will start automatically. If the 'No Key Found' alert is displayed instead, then I'm afraid you are out of luck and your data is probably lost.

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

I see your pain there. I've not read of anyone successfully paying for a working key.
This only serves to reinforce my monthly (or so) practice of making images of all partitions, and then putting the image drive offline. I do daily backups, too, but they are online, and so fraught.
If they've done over the US army, I wonder how long it will be before a cloud gets rained upon...?